From b501368d1823ad43cc109870d51bcd6619aefc31 Mon Sep 17 00:00:00 2001 From: 1dot75cm Date: Sun, 25 Oct 2015 06:10:46 +0800 Subject: [PATCH] add selinux support for sogoupinyin booleans: - sogou_access_network, default True. - sogou_enable_homedirs, default False. see issue #32 --- rpms/SELinux/sogou/sogoupinyin.fc | 20 ++++ rpms/SELinux/sogou/sogoupinyin.if | 161 +++++++++++++++++++++++++ rpms/SELinux/sogou/sogoupinyin.te | 182 ++++++++++++++++++++++++++++ rpms/SPECS/sogou/sogoupinyin.spec | 193 +++++++++++++++++++++++++++--- 4 files changed, 537 insertions(+), 19 deletions(-) create mode 100644 rpms/SELinux/sogou/sogoupinyin.fc create mode 100644 rpms/SELinux/sogou/sogoupinyin.if create mode 100644 rpms/SELinux/sogou/sogoupinyin.te diff --git a/rpms/SELinux/sogou/sogoupinyin.fc b/rpms/SELinux/sogou/sogoupinyin.fc new file mode 100644 index 00000000..312343a9 --- /dev/null +++ b/rpms/SELinux/sogou/sogoupinyin.fc 
@@ -0,0 +1,20 @@
+HOME_DIR/\.config/SogouPY.*(/.*)? gen_context(system_u:object_r:sogou_home_t,s0)
+HOME_DIR/\.config/sogou-qimpanel(/.*)? gen_context(system_u:object_r:sogou_home_t,s0)
+HOME_DIR/\.config/Trolltech.conf.* gen_context(system_u:object_r:sogou_home_t,s0)
+
+/usr/bin/sogou-qimpanel -- gen_context(system_u:object_r:sogou_exec_t,s0)
+/usr/bin/sogou-qimpanel-watchdog -- gen_context(system_u:object_r:sogou_exec_t,s0)
+/usr/bin/sogou-session -- gen_context(system_u:object_r:sogou_exec_t,s0)
+/usr/bin/sogou-diag -- gen_context(system_u:object_r:sogou_exec_t,s0)
+/usr/bin/sogou-sys-notify -- gen_context(system_u:object_r:sogou_exec_t,s0)
+
+/tmp/sogou-qimpanel.* -- gen_context(system_u:object_r:sogou_tmp_t,s0)
+/tmp/sni-qt_sogou-qimpanel.*(/.*)? gen_context(system_u:object_r:sogou_tmp_t,s0)
+
+/usr/share/fcitx-sogoupinyin(/.*)? gen_context(system_u:object_r:sogou_data_t,s0)
+/usr/share/sogou-qimpanel(/.*)? gen_context(system_u:object_r:sogou_data_t,s0)
+/usr/share/sogoupinyin(/.*)? gen_context(system_u:object_r:sogou_data_t,s0)
+
+/usr/share/fcitx-sogoupinyin/SogouInput/(.*).ini -- gen_context(system_u:object_r:sogou_conf_t,s0)
+/usr/share/fcitx-sogoupinyin/SogouInput/(.*).txt -- gen_context(system_u:object_r:sogou_conf_t,s0)
+
diff --git a/rpms/SELinux/sogou/sogoupinyin.if b/rpms/SELinux/sogou/sogoupinyin.if
new file mode 100644
index 00000000..cbd73d16
--- /dev/null
+++ b/rpms/SELinux/sogou/sogoupinyin.if
@@ -0,0 +1,161 @@
+
+## policy for sogoupinyin
+
+#######################################
+##
+## The role template for the sogoupinyin module.
+##
+##
+##
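Review bot: The two SogouInput entries at the end of the hunk use an unescaped dot, so `(.*).ini` matches any single character before `ini` rather than a literal `.ini`, and the capture group serves no purpose; the same unescaped dot appears in `Trolltech.conf.*` on the third line. Escape it the way the HOME_DIR entries already do: `/usr/share/fcitx-sogoupinyin/SogouInput/.*\.ini -- gen_context(system_u:object_r:sogou_conf_t,s0)` and likewise for `\.txt`. The over-broad match is harmless today because everything else under that directory is labelled sogou_data_t by the earlier entry, but the tighter regex records the intent and avoids surprises if the directory layout changes.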

+## This template allow a user role access the sogou_t domain. +##

+##
+## +## +## The prefix of the user role (e.g., user +## is the prefix for user_r). +## +## +## +## +## The user role. +## +## +## +## +## The user domain associated with the role. +## +## +# +interface(`sogou_role',` + gen_require(` + type sogou_t, sogou_exec_t, sogou_tmp_t, sogou_home_t; + type sogou_data_t, $1_dbusd_t, system_dbusd_t; + attribute_role sogou_roles; + class dbus { send_msg acquire_svc }; + ') + # Allow the sogou_t domain for the user role + roleattribute $2 sogou_roles; + # ALlow domain transition for user domain to sogou_t + domtrans_pattern($3, sogou_exec_t, sogou_t) + # Interact with sogou process + ps_process_pattern($3, sogou_t) + allow $3 sogou_t : process { ptrace signal_perms }; + # Manage sogou file resources + manage_dirs_pattern($3, sogou_home_t, sogou_home_t) + manage_files_pattern($3, sogou_home_t, sogou_home_t) + manage_lnk_files_pattern($3, sogou_home_t, sogou_home_t) + # Allow user to relabel the resources if needed + relabel_dirs_pattern($3, sogou_home_t, sogou_home_t) + relabel_files_pattern($3, sogou_home_t, sogou_home_t) + relabel_lnk_files_pattern($3, sogou_home_t, sogou_home_t) + # Delete /tmp/sogou* + allow $3 sogou_tmp_t : { sock_file file } unlink; + # fcitx read /usr/share/fcitx-sogoupinyin/SogouInput/Fuzzy.dat + allow $3 sogou_data_t:dir list_dir_perms; + allow $3 sogou_data_t:file read_file_perms; + # Allow Xorg -> sogou_t + allow $3 sogou_t:shm { unix_read read unix_write associate write getattr }; + allow sogou_t { $1_dbusd_t $3 }:dbus { send_msg acquire_svc }; + allow $3 sogou_t:dbus { send_msg acquire_svc }; + # Allow connect socket + allow sogou_t { $1_dbusd_t $3 }:unix_stream_socket connectto; + allow sogou_t { $1_dbusd_t $3 }:process signull; + # dont access unix_stream_socket + dontaudit sogou_t system_dbusd_t:unix_stream_socket connectto; +') + +######################################## +## +## Create objects in a user home ".config" directory +## with an automatic type transition to +## a specified private type. 
+## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`userdom_config_home_content_filetrans',` + gen_require(` + type config_home_t; + ') + + filetrans_pattern($1, config_home_t, $2, $3, $4) + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) +') + +######################################## +## +## Allow other domain to read sogou_home_t. +## +## +## +## Domain allowed to read. +## +## +# +interface(`sogou_read_home',` + gen_require(` + type sogou_home_t; + ') + userdom_search_user_home_dirs($1) + allow $1 sogou_home_t:dir list_dir_perms; + allow $1 sogou_home_t:file read_file_perms; + allow $1 sogou_home_t:lnk_file read_lnk_file_perms; +') + +######################################## +## +## Execute sogou_exec_t in the sogou domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`sogou_domtrans',` + gen_require(` + type sogou_t, sogou_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, sogou_exec_t, sogou_t) +') + +###################################### +## +## Execute sogoupinyin in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`sogou_exec',` + gen_require(` + type sogou_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, sogou_exec_t) +') diff --git a/rpms/SELinux/sogou/sogoupinyin.te b/rpms/SELinux/sogou/sogoupinyin.te new file mode 100644 index 00000000..f2092b80 --- /dev/null +++ b/rpms/SELinux/sogou/sogoupinyin.te 
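Review bot: `userdom_config_home_content_filetrans` references `user_home_dir_t` in its allow rule but only requires `config_home_t`; it presumably compiles only because another interface used by the module happens to require that type, so the gen_require should read `type config_home_t, user_home_dir_t;`. The interface is also named with the `userdom_` prefix of the userdomain module although it is defined in this file; if a later selinux-policy ships an interface of the same name the two m4 definitions will collide, so a module-local name such as `sogou_config_home_filetrans` is safer. Separately, in `sogou_role` the comment `# Allow Xorg -> sogou_t` sits on a rule that grants shm permissions to the user domain `$3`, not to the X server, so either the comment or the rule's subject should change.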
@@ -0,0 +1,182 @@ +policy_module(sogoupinyin, 1.0.0) + +# Allow user_r, staff_r, unconfined_r role access sogou_t +optional_policy(` + gen_require(` + role user_r, staff_r, unconfined_r; + type user_t, staff_t, unconfined_t; + ') + sogou_role(user, user_r, user_t) + sogou_role(staff, staff_r, staff_t) + sogou_role(unconfined, unconfined_r, unconfined_t) +') + +######################################## +# +# Declarations +# + +gen_require(` + type var_lib_t, config_usr_t; + attribute device_node; +') + +attribute_role sogou_roles; + +# Booleans +## +##

+## Allow the sogoupinyin access network +##

+##
+gen_tunable(sogou_access_network, true) + +## +##

+## Allow the sogoupinyin read home dirs +##

+##
+gen_tunable(sogou_enable_homedirs, false) + +# sogou-qimpanel +type sogou_t; +type sogou_exec_t; +application_domain(sogou_t, sogou_exec_t) +role sogou_roles types sogou_t; + +# ~/.config/SogouPY[.users], ~/.config/sogou-qimpanel +type sogou_home_t; +userdom_user_home_content(sogou_home_t) + +# PID/Socket files /tmp/sogou-qimpanel* +type sogou_tmp_t; +userdom_user_tmp_file(sogou_tmp_t) + +# Config files +type sogou_conf_t; +files_config_file(sogou_conf_t) + +# Data files +type sogou_data_t; +files_type(sogou_data_t) + +######################################## +# +# sogoupinyin local policy +# + +# If we would link to grant the application access to the user content. +# userdom_manage_user_home_content_dirs() +# userdom_manage_user_home_content_files() +tunable_policy(`sogou_enable_homedirs',` + userdom_search_user_home_content(sogou_t) + userdom_read_user_home_content_files(sogou_t) +') + +# Allow manage rights on ~/.config/SogouPY +manage_dirs_pattern(sogou_t, sogou_home_t, sogou_home_t) +manage_files_pattern(sogou_t, sogou_home_t, sogou_home_t) +userdom_config_home_content_filetrans(sogou_t, sogou_home_t, dir, "SogouPY") +userdom_config_home_content_filetrans(sogou_t, sogou_home_t, dir, "SogouPY.users") +userdom_config_home_content_filetrans(sogou_t, sogou_home_t, dir, "sogou-qimpanel") +userdom_config_home_content_filetrans(sogou_t, sogou_home_t, file) + +# Shared memory +manage_files_pattern(sogou_t, sogou_tmp_t, sogou_tmp_t) +#manage_lnk_files_pattern(sogou_t, sogou_tmp_t, sogou_tmp_t) +#manage_fifo_files_pattern(sogou_t, sogou_tmp_t, sogou_tmp_t) +manage_sock_files_pattern(sogou_t, sogou_tmp_t, sogou_tmp_t) +#fs_tmpfs_filetrans(sogou_t, sogou_tmp_t, { file lnk_file fifo_file sock_file }) +files_tmp_filetrans(sogou_t, sogou_tmp_t, { dir file sock_file }) + +# Application is an X11 application +xserver_user_x_domain_template(sogou, sogou_t, sogou_tmp_t) + +# Network access boolean +#tunable_policy(`!bool1 && bool2',` +tunable_policy(`sogou_access_network',` + 
#sysnet_dns_name_resolve(sogou_t) + sysnet_read_config(sogou_t) + + # tcp/udp socket + allow sogou_t self:netlink_route_socket { create bind getattr nlmsg_read write }; + allow sogou_t self:udp_socket { create getattr connect read write }; + allow sogou_t self:tcp_socket { create getattr connect read write getopt setopt }; + + # Network access + corenet_tcp_bind_generic_node(sogou_t) + corenet_udp_bind_generic_node(sogou_t) + # Central sogou services + corenet_tcp_connect_http_port(sogou_t) + corenet_tcp_connect_all_unreserved_ports(sogou_t) + # Listen for incoming communication + corenet_tcp_bind_all_unreserved_ports(sogou_t) + corenet_udp_bind_all_unreserved_ports(sogou_t) +',` + # dont read /etc/rescolv.conf + sysnet_dontaudit_read_config(sogou_t) + # tcp/udp socket + dontaudit sogou_t self:netlink_route_socket create; + dontaudit sogou_t self:udp_socket { create getattr }; + dontaudit sogou_t self:tcp_socket { create getattr }; +') + +# Terminal output +userdom_use_user_terminals(sogou_t) + +# Configuration, Data files - read +allow sogou_t sogou_data_t:dir list_dir_perms; +allow sogou_t sogou_data_t:file read_file_perms; +allow sogou_t sogou_conf_t:file read_file_perms; + +# tmp files - create, read, and write +allow sogou_t sogou_tmp_t:dir create; +allow sogou_t sogou_tmp_t:file { open write }; + +# dont write /tmp +#files_dontaudit_access_check_tmp(sogou_t) +files_dontaudit_leaks(sogou_t) + +# dont read config_usr_t +dontaudit sogou_t config_usr_t:dir read; + +# dont create /home/ subdir +userdom_dontaudit_manage_user_home_dirs(sogou_t) + +# start sogou-qimpanel +# dont get xattr +#allow sogou_t fs_t:filesystem getattr; +fs_dontaudit_getattr_xattr_fs(sogou_t) + +# execute bash script /usr/bin/sogou-session +#!!!! WARNING: 'shell_exec_t' is a base type. +#allow sogou_t shell_exec_t:file { execute execute_no_trans }; + +# execute fcitx-remote +#!!!! WARNING: 'bin_t' is a base type. 
+#allow sogou_t bin_t:file { execute execute_no_trans }; +corecmd_dontaudit_exec_all_executables(sogou_t) + +# read /var/lib/dbus/machine-id +#allow sogou_t system_dbusd_var_lib_t:file { read getattr open }; + +# read .config/fcitx/dbus/, write .config/fcitx/config +#allow sogou_t config_home_t:file { getattr read write open }; + +# execution memory +allow sogou_t self:process execmem; + +# dont read /etc/passwd +auth_dontaudit_read_passwd(sogou_t) + +# dont read /proc/meminfo +#kernel_read_all_proc(sogou_t) +kernel_dontaudit_read_system_state(sogou_t) +kernel_dontaudit_getattr_core_if(sogou_t) + +# dont read /var/lib/dpkg/status +#!!!! WARNING: 'var_lib_t' is a base type. +dontaudit sogou_t var_lib_t:{ file dir } read; +dontaudit sogou_t var_lib_t:file { open getattr }; +dontaudit sogou_t { file_type device_node }:{ chr_file blk_file sock_file lnk_file } { getattr read }; + diff --git a/rpms/SPECS/sogou/sogoupinyin.spec b/rpms/SPECS/sogou/sogoupinyin.spec index a2229b9a..dfbf68b6 100644 --- a/rpms/SPECS/sogou/sogoupinyin.spec +++ b/rpms/SPECS/sogou/sogoupinyin.spec 
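Review bot: Inside `tunable_policy(`sogou_access_network'` the rules `corenet_tcp_bind_all_unreserved_ports(sogou_t)`, `corenet_udp_bind_all_unreserved_ports(sogou_t)` and the two `corenet_*_bind_generic_node` lines let the input method open listening sockets on any unreserved port, which is far wider than the outbound `connect` that the comment `# Central sogou services` describes and enlarges the exposed surface of a proprietary binary; unless a listener is actually observed, drop the bind lines and keep the connect rules. The `optional_policy` block at the top requires `user_r`, `staff_r` and `unconfined_r` in one gen_require, so on a policy without the unconfined module the user and staff `sogou_role` calls are silently dropped as well; one `optional_policy` per role keeps them independent. `allow sogou_t self:process execmem;` is the one rule here that defeats W^X and deserves a why-comment naming the component that needs it, e.g. `# execmem: required by <component> (TODO confirm)`. The closing `dontaudit sogou_t { file_type device_node }:{ chr_file blk_file sock_file lnk_file } { getattr read };` also hides every read denial on symlinks and sockets system-wide, which will mask genuine policy gaps during later debugging; narrowing it to `getattr`, or to the types actually seen in the audit log, keeps the AVC trail useful.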
@@ -1,23 +1,59 @@ %global debug_package %{nil} %define _xinitrcdir %{_sysconfdir}/X11/xinit/xinitrc.d -Name: sogoupinyin -Version: 2.0.0.0066 -Release: 1%{?dist} -Summary: Sogou Pinyin input method -Summary(zh_CN): 搜狗拼音输入法 - -License: Proprietary and GPLv2 -URL: http://pinyin.sogou.com/linux -Group: Applications/System -Source0: http://cdn2.ime.sogou.com/dl/index/1445002254/%{name}_%{version}_amd64.deb -Source1: http://cdn2.ime.sogou.com/dl/index/1445001029/%{name}_%{version}_i386.deb - -BuildRequires: dpkg -Requires: fcitx >= 4.2.8.3 -Requires: fcitx-configtool -Conflicts: fcitx-sogoupinyin -Obsoletes: sogou-pinyin < %{version}-%{release} +# sogoupinyin-selinux conditional +%if 0%{?fedora} >= 21 || 0%{?rhel} >= 7 +%global with_selinux 1 +%endif + +%if 0%{?with_selinux} +%global selinuxtype targeted +%global moduletype apps +%global modulename %{name} + +# Usage: _format var format +# Expand 'modulename' into various formats as needed +# Format must contain '$x' somewhere to do anything useful +%global _format() export %1=""; for x in %{modulename}; do %1+=%2; %1+=" "; done; + +# Relabel files +%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/sogou* %{_datadir}/sogou* %{_datadir}/fcitx-%{name} /tmp/*sogou* /home/*/.config/{SogouPY*/,sogou-qimpanel/,Trolltech.conf} &>/dev/null ||: + +# Version of SELinux we were using +%if 0%{?fedora} >= 21 +%global selinux_policyver 3.13.1-105 +%else +%global selinux_policyver 3.13.1-39 +%endif +%endif # with_selinux + +Name: sogoupinyin +Version: 2.0.0.0066 +Release: 2%{?dist} +Summary: Sogou Pinyin input method +Summary(zh_CN): 搜狗拼音输入法 + +License: Proprietary and GPLv2 +URL: http://pinyin.sogou.com/linux +Group: Applications/System +Source0: http://cdn2.ime.sogou.com/dl/index/1445002254/%{name}_%{version}_amd64.deb +Source1: http://cdn2.ime.sogou.com/dl/index/1445001029/%{name}_%{version}_i386.deb +Source11: %{name}.te +Source12: %{name}.fc +Source13: %{name}.if +Source14: Makefile + +BuildRequires: dpkg +Requires: 
fcitx >= 4.2.8.3 +Requires: fcitx-configtool +Conflicts: fcitx-sogoupinyin +Obsoletes: sogou-pinyin < %{version}-%{release} + +# RE: rhbz#1195804 - ensure min NVR for selinux-policy +%if 0%{?with_selinux} +Requires: selinux-policy >= %{selinux_policyver} +Requires(pre): %{name}-selinux >= %{version}-%{release} +%endif # with_selinux %description Sogou Pinyin Input Method 
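Review bot: The `relabel_files` macro depends on bash-only syntax (`&>/dev/null` and the `{SogouPY*/,sogou-qimpanel/,Trolltech.conf}` brace expansion), and `_format` uses `+=`; rpm scriptlets run under `/bin/sh`, which is bash on Fedora/RHEL but not guaranteed elsewhere, so either write them POSIX-style (`>/dev/null 2>&1`, one path per pattern) or set `-p /bin/bash` on the scriptlets that expand them. `restorecon -R /home/*/.config/...` also walks every user's home on each install; that is cheap for these few paths but worth a one-line comment such as `# relabel existing per-user config so sogou_t can reach it once the module is loaded`.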
@@ -32,9 +68,65 @@ China, and Sogou promises it will always be free of charge. %description -l zh_CN 搜狗拼音输入法 - 专注输入法 20 年 -支持全拼简拼, 模糊拼音, 细胞词库, 云输入, 皮肤, 中英混输. +支持全拼简拼双拼, 模糊拼音, 细胞词库, 云输入, 皮肤, 中英混输. 通过结合搜索引擎技术, 提高输入准确率. 更多惊喜等您体验. +如果您安装了 %{name}-selinux 并将 SELinux 设为 enforcing 模式, 则 SELinux 会 +保护您 home 目录的私有文件, 避免被 %{name} 访问. 同时, SELinux 默认也会阻止您 +安装皮肤和词库. + +皮肤保存在~/.config/sogou-qimpanel/skin/, 按以下方式安装: + $ sudo setsebool sogou_enable_homedirs=1 + $ sogou-qimpanel Skin.ssf + +词库保存在~/.config/SogouPY/scd/, 按以下方式安装: + $ sudo setsebool sogou_enable_homedirs=1 + $ sogou-qimpanel Cell.scel + +禁止 sogou 访问网络: + $ sudo setsebool -P sogou_access_network=0 # 默认: true + +允许 sogou 访问 home 目录: + $ sudo setsebool sogou_enable_homedirs=1 # 默认: false + +%if 0%{?with_selinux} +%package selinux +Summary: SELinux policies for %{name} +BuildArch: noarch +BuildRequires: selinux-policy +BuildRequires: selinux-policy-devel +Requires(post): selinux-policy-base >= %{selinux_policyver} +Requires(post): selinux-policy-targeted >= %{selinux_policyver} +Requires(post): policycoreutils +%if 0%{?fedora} > 22 +Requires(post): policycoreutils-python-utils +%else +Requires(post): policycoreutils-python +%endif +Requires(post): libselinux-utils + +%description selinux +SELinux policy modules for use with %{name}. + +If you do not want to %{name} access the network. Execute this command. + + $ sudo setsebool -P sogou_access_network=0 # default: true + +Allow sogou access home dirs: + + $ sudo setsebool sogou_enable_homedirs=1 # default: false + +%description selinux -l zh_CN +适用于 %{name} 的 SELinux 策略模块. + +如果您不希望 %{name} 访问网络, 请执行以下命令: + + $ sudo setsebool -P sogou_access_network=0 # 默认: true + +允许 sogou 访问 home 目录: + $ sudo setsebool sogou_enable_homedirs=1 # 默认: false +%endif # with_selinux + %prep # Extract DEB package %ifarch x86_64 
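Review bot: The `selinux` subpackage declares `Requires(post)` for policycoreutils, libselinux-utils and selinux-policy-targeted but no `Requires(postun)`, while the `%postun selinux` scriptlet in the later hunk (`@@ -212,6 +348,17 @@`) calls `semodule`, `selinuxenabled`, `load_policy` and `restorecon`; in a transaction that removes those tools together with this package the scriptlet can run after they are gone and the module stays loaded. Add `Requires(postun): policycoreutils` and `Requires(postun): libselinux-utils` next to the existing Requires(post) lines. The English description also reads awkwardly: `If you do not want to %{name} access the network. Execute this command.` → `If you do not want %{name} to access the network, run:`.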
@@ -43,7 +135,19 @@ dpkg-deb -X %{SOURCE0} %{_builddir}/%{name}-%{version} dpkg-deb -X %{SOURCE1} %{_builddir}/%{name}-%{version} %endif +%if 0%{?with_selinux} +pushd %{_builddir}/%{name}-%{version} +mkdir selinux +cp %{S:11} %{S:12} %{S:13} %{S:14} selinux/ +%endif # with_selinux + %build +%if 0%{?with_selinux} +pushd %{_builddir}/%{name}-%{version} +pushd selinux +make +popd +%endif # with_selinux %install pushd %{_builddir}/%{name}-%{version} @@ -177,6 +281,23 @@ for i in *;do done popd +%if 0%{?with_selinux} +# install SELinux interfaces +%_format INTERFACES $x.if +install -d %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} +install -p -m 644 selinux/$INTERFACES \ + %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} + +# install policy modules +%if 0%{?fedora} > 22 +%_format MODULES $x.cil.bz2 +%else +%_format MODULES $x.pp.bz2 +%endif +install -d %{buildroot}%{_datadir}/selinux/packages +install -m 644 selinux/$MODULES %{buildroot}%{_datadir}/selinux/packages +%endif # with_selinux + %post /sbin/ldconfig INPUTRC=$(readlink /etc/alternatives/xinputrc|awk -F'/' '{print $6}') @@ -192,6 +313,21 @@ if [ "$1" -eq "1" ]; then update-mime-database %{_datadir}/mime ||: fi +%if 0%{?with_selinux} +%post selinux +# Install all modules in a single transaction +%_format MODULES %{_datadir}/selinux/packages/$x.*.bz2 +%{_sbindir}/semodule -n -s %{selinuxtype} -i $MODULES +if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy + %relabel_files +fi +if [ $1 -eq 1 ]; then + %{_sbindir}/setsebool -P -N sogou_access_network=1 + %{_sbindir}/setsebool -P -N sogou_enable_homedirs=0 +fi +%endif # with_selinux + %preun # uninstall if [ "$1" -eq "0" ];then 
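Review bot: `%prep` copies `%{S:14}` (Makefile) into `selinux/` and `%build` runs `make` there, but the diffstat lists only the .fc/.if/.te sources and the spec, so the Makefile is not part of this commit; unless it already exists in rpms/SELinux/sogou the build will stop at the `cp`. Either add it, or drop Source14 and build against the one shipped by selinux-policy-devel with `make -f %{_datadir}/selinux/devel/Makefile` inside `selinux/`, which the `BuildRequires: selinux-policy-devel` already guarantees is present.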
@@ -212,6 +348,17 @@ if [ "$1" -eq "0" ]; then /sbin/ldconfig fi +%if 0%{?with_selinux} +%postun selinux +if [ $1 -eq 0 ]; then + %{_sbindir}/semodule -n -r %{modulename} &>/dev/null ||: + if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy + %relabel_files + fi +fi +%endif # with_selinux + %files %defattr(-,root,root,-) %doc %{name}-%{version}/changelog.gz @@ -230,8 +377,16 @@ fi %{_datadir}/sogou-qimpanel/ %{_datadir}/%{name}/ +%if 0%{?with_selinux} +%files selinux +%defattr(-,root,root,-) +%{_datadir}/selinux/* +%endif # with_selinux + %changelog -* Thu Sep 24 2015 mosquito - 2.0.0.0066-1 +* Sun Oct 25 2015 mosquito - 2.0.0.0066-2 +- Add SELinux module (sogoupinyin 1.0.0) +* Sat Oct 17 2015 mosquito - 2.0.0.0066-1 - Update version 2.0.0.0066 * Thu Sep 24 2015 mosquito - 1.2.0.0056-2 - Remove depends
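Review bot: `%{_datadir}/selinux/*` in `%files selinux` makes the package own `%{_datadir}/selinux/devel`, `%{_datadir}/selinux/packages` and `devel/include/%{moduletype}`, directories that are presumably already owned by selinux-policy / selinux-policy-devel; rpm tolerates shared ownership but packaging guidelines want only the package's own files listed. Use the explicit entries `%{_datadir}/selinux/packages/%{modulename}.*.bz2` and `%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if` instead. The `%postun selinux` hunk above (and `%post selinux` in the previous hunk) tests `$1` unquoted; `if [ "$1" -eq 0 ]` matches the quoting the spec already uses in `%preun`.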